Friday, May 15, 2009
HOWTO Convert a windows vmware image to a linux qemu/kvm
This is a good HOWTO for converting Windows VMware images to Linux Kernel Virtual Machines (KVMs). Note that if you don't have a single monolithic vmdk disk file, you can just run qemu-img over each individual extent file, converting it to raw, then cat the raw files together in extent order (s001, s002, ...). I tried this and it worked a treat:
for i in *.vmdk; do qemu-img convert -O raw "$i" ~/"$i.dd"; done
cat s001.vmdk.dd s002.vmdk.dd s003.vmdk.dd > monolithic_image.dd
Monday, May 11, 2009
Verify ssl certificates and keys
The following openssl commands are handy for verifying/inspecting/converting keys/certificates and inspecting CRLs:
# Check a private key
openssl rsa -in /etc/apache2/ssl/server.key -check -noout -text
# Verify this cert against this CA list
openssl verify -verbose -purpose sslserver -CAfile /etc/ssl/cacert.pem /etc/apache2/ssl/server.pem
# Display cert details
openssl x509 -in /var/cert.pem -text -noout
# What purposes does this cert have?
openssl x509 -in mycert.pem -purpose
# Connect to a server and show the certs
openssl s_client -debug -connect localhost:443 -showcerts
# Inspect a CRL
openssl crl -inform DER -in blah.crl -text -noout
# Convert DER (.crt .cert .der) to PEM
openssl x509 -inform der -in cert.cer -out cert.pem
# Inspect DER without converting
openssl x509 -inform der -in cert.cer -noout -text
All calls on Samsung F480 appearing as "unknown" number
My phone wasn't displaying any numbers when I received a call - even though I had corresponding entries in the phonebook. For the benefit of others googling for a solution to this problem: it isn't your phone. It doesn't matter if your contacts are in the phone or in the sim. Most likely you need to call your provider and make sure caller id forwarding is enabled on your service. This can happen when you change providers or start a new service.
Sunday, May 10, 2009
Convert epoch timestamp (seconds since 1970) on the command line
Use this to convert an epoch timestamp (seconds since 1970) on the command line. For some reason the man page doesn't reveal this secret:
date -d @1241958464
If you have the epoch seconds in hex, use this on linux:
echo $((0x4f91d6f8)) | xargs -I## date -d @##
The same thing is much easier on OS X:
date -r 0x4f91d6f8
Friday, May 8, 2009
Setting up a Samsung F480 for Gmail IMAP and SMTP
Set up one of these recently. Google's instructions are pretty good but I thought I'd document specifically for this phone:
- Enable IMAP in gmail settings
- Incoming settings:
- IMAP4 server: imap.gmail.com
- Port: 993
- Security type: SSL (always)
- Outgoing settings:
- SMTP server: smtp.gmail.com
- Port: 465
- Secure connection: SSL
- APOP login: No
- My address: myname@gmail.com
- Use SMTP auth: Yes
- Same as POP3/IMAP4: Yes
The openssl client came in handy for checking the google certificates, which for some reason are signed by their own ca:
openssl s_client -connect smtp.gmail.com:465 -showcerts
Friday, May 1, 2009
Creating certificates for ldaps on windows 2003 server using openssl CA
/usr/lib/ssl/misc/CA.sh -newca
(Set a password for the CA)
/usr/lib/ssl/misc/CA.sh -newreq
(Set a password for the key for this cert)
/usr/lib/ssl/misc/CA.sh -sign
openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out keyandcert.p12
(Consolidate key and cert into single file, protect with 'import password')
Then check that the bundle reads back correctly (key and cert both present, import password accepted) with:
openssl pkcs12 -in keyandcert.p12 -noout -info
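The same procedure with plain openssl commands instead of the CA.sh wrapper (which is not installed everywhere), followed by the checks from the "Verify ssl certificates and keys" post above. This is an added example, not code from the original post: the CA name, the host name dc1.example.test, the import password "import" and the scratch directory are all made up for the demo, and the keys are left unencrypted (CA.sh would prompt for passwords). It goes one step further than the post by putting a subjectAltName and the serverAuth EKU on the server cert, which is what a client checks when it connects to the DC by DNS name.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway CA, issue a
# server certificate for an LDAPS host, bundle key+cert as PKCS#12, and run
# the openssl checks from the "Verify ssl certificates and keys" post.
# Assumptions, all made up for this demo: openssl 1.1.1 or newer on PATH,
# host name dc1.example.test, import password "import", scratch dir $WORK.
set -eu

WORK="$(mktemp -d)"
HOST="dc1.example.test"
P12PASS="import"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
# v3_server carries what a Windows client checks: the serverAuth EKU and a SAN
# matching the DNS name you will connect to.
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$HOST
EOF
}

# CA.sh -newca equivalent: CA key plus self-signed CA cert.
make_ca() {
  openssl req -config "$WORK/openssl.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=Demo Root CA" -extensions v3_ca \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}

# CA.sh -newreq plus -sign equivalent: server key, CSR, and CA-signed cert.
make_server_cert() {
  openssl req -config "$WORK/openssl.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}

# Consolidate key, cert and the CA cert into one PKCS#12 file for the Windows import.
# Very old Windows versions only understand the legacy 3DES/RC2 PBE; with OpenSSL 3 add -legacy.
make_p12() {
  openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
    -certfile "$WORK/cacert.pem" -passout "pass:$P12PASS" -out "$WORK/keyandcert.p12"
}

# The checks. Each returns 0 on success so a script can gate on them.
check_key()          { openssl rsa -in "$WORK/server.key" -check -noout >/dev/null 2>&1; }
verify_chain()       { openssl verify -purpose sslserver -CAfile "$WORK/cacert.pem" "$WORK/server.pem" >/dev/null 2>&1; }
key_matches_cert()   {
  # Identical public key from both files proves the key really belongs to this cert.
  [ "$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" ]
}
has_server_purpose() { openssl x509 -in "$WORK/server.pem" -noout -purpose | grep -q '^SSL server : Yes'; }
cert_san()           { openssl x509 -in "$WORK/server.pem" -noout -text | grep -o 'DNS:[^, ]*'; }
check_p12()          { openssl pkcs12 -in "$WORK/keyandcert.p12" -passin "pass:$P12PASS" -noout -info >/dev/null 2>&1; }

build_all() { write_config; make_ca; make_server_cert; make_p12; }

build_all
for c in check_key verify_chain key_matches_cert has_server_purpose check_p12; do
  "$c" && echo "$c: ok" || { echo "$c: FAILED"; exit 1; }
done
echo "SAN: $(cert_san)  (files left in $WORK)"
```

Import cacert.pem and keyandcert.p12 exactly as described for the CA.sh output below; the only difference is that the server cert now also carries the DNS name the client will use, so a strict client does not have to fall back to matching the CN.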
Import CA cert:
- Start | Run | mmc
- Add snap-in Certificates
- Right click on Trusted Root Certification Authorities | All tasks | Import | Choose the CA certificate: demoCA/cacert.pem | Choose the Trusted Root Certification Authorities store
- Find the certificate in the Trusted Root CA store | Right click | Properties | Enable only the following: untick everything except Server Authentication and Client Authentication
Import server cert:
- Right click on Personal Certificates | All tasks | Import | Choose the server certificate: keyandcert.p12 | Enter private key password, mark as exportable | Choose Personal store
- Find the certificate in the Personal store | Double-click | Ensure the certificate dates are correct and the phrase "You have a private key that corresponds to this certificate" is present on the General tab.
Test with python (copy the CA cert to a directory on the client first):
import ldap
# Trust only the CA that signed the DC's certificate (the copied demoCA/cacert.pem)
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, "/etc/ssl/cacert.pem")
# Maximum libldap debug output on stderr, which shows where a TLS handshake fails
ldap.set_option(ldap.OPT_DEBUG_LEVEL, 255)
# Plain ldap:// on port 389, then upgrade the connection with STARTTLS
l = ldap.initialize("ldap://computername.mydom.com")
l.start_tls_s()
This should return successfully. If not, turn up the schannel logging level on the windows box by setting the eventlogging key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\EventLogging = 0x4
Then re-try the python code. You should see the following events from schannel in the event viewer:
- Creating an SSL server credential
- Server credential has following properties....
- An SSL server handshake completed successfully
The Microsoft HOWTO for doing this is pretty poor. It says all you need to do is install the certificates and reboot, then the DC will be listening on the ldaps port (tcp 636). In fact, a reboot is *not* required to get TLS working on the regular ldap port using start_tls as above, and even if you reboot the DC won't listen on port 636. I have trawled the net and can't find any other instructions for how to get ldaps listening.
I hate this windows black magic voodoo shit where debugging is practically impossible, error messages are completely uninformative, and rebooting is the cure for everything.
Update: If you need to update expired certificates, that does require a reboot. Deleting the old certs and restarting the certificate service doesn't cut it. To debug you can run a packet capture and look at the Certificate handshake message that follows the Server Hello in Wireshark; it dissects the whole certificate so you can see exactly what you are serving.